1 Statement of the Problem

This project is devoted to the study of diagnosis of additive malfunctions in linear
dynamic systems. This class of failures is relevant to control-actuator failures in
aircraft, as well as to other situations. In particular, we are interested in optimizing
multi-hypothesis maximum-likelihood algorithms for malfunction diagnosis, since
this concept is the most widely accepted basis for automatic malfunction diagnosis.

The  engineering  system  to  be  studied  is  a  linearized  aerodynamic  model  for 
small  disturbances  about  a  reference  condition  of  steady  rectilinear  flight  over  a 
flat  earth.  The  advantage  of  this  system  is  its  simple  description  of  a  wide  range 
of  aerodynamic  situations,  and  the  fact  that  control-actuator  malfunctions  can  be 
modelled  as  additive  failures. 

The formulation of a multi-hypothesis algorithm for malfunction diagnosis
involves the choice of a set of hypothesized malfunctions. On-line measurements of
the system are compared with the behavior to be expected from each hypothesized
failure, and a likelihood-ratio algorithm is used to identify the hypothesized failure
which is most likely to have given rise to the observed measurements. Optimization
of such an algorithm centers on the choice of the set of failure hypotheses:
How many failure hypotheses should be chosen, and what should those failure
hypotheses be?

The methodology of convex modelling presented in this report is to be used to
address these questions. Convex modelling provides two distinct tools for optimization
of malfunction diagnosis algorithms. The first, called benchmark diagnosis, is
an assessment of the best state space malfunction diagnosis capability which can
be obtained by any state space algorithm, whether based on the multi-hypothesis
maximum-likelihood concept, or not. Evaluation of the optimum diagnosis capability
is used as a benchmark, against which the performance of implementable
algorithms can be compared. The second tool provided by convex modelling,
called multi-hypothesis distinguishability, enables assessment of the malfunction
diagnosis performance of a specific multi-hypothesis algorithm. This enables the
quantitative comparison of the performance of multi-hypothesis malfunction diagnosis
algorithms based on distinct sets of failure hypotheses. Optimization of the
malfunction diagnosis algorithm is based on these comparisons. For example, the
performance of different sets containing N failure hypotheses can be compared, and
the best set of hypotheses can be sought. Furthermore, the utility of the marginal
((N + 1)th) hypothesis can be established by comparing the best N-fold set of
hypotheses with the best (N + 1)-fold set. Finally, the multi-hypothesis diagnosis
capability of any specific implementable algorithm can be compared with the best
possible malfunction diagnosis capability, as expressed by the benchmark
distinguishability. In this way, rational design decisions can be made in the formulation
of a multi-hypothesis maximum-likelihood algorithm for malfunction diagnosis.

2  Background  and  Approach 

The diagnosis of additive malfunctions in linear dynamic systems has been studied
from various points of view. Fiorina and Maffezzoni (1979) use the generalized
likelihood ratio to detect additive step failures in the Italian power system. Kerr
(1982) discusses the application of the confidence region concept to the detection of
additive failures relevant to inertial navigation systems. Willsky and Jones (1976)
discuss adaptive filtering and its application to the detection of additive failures
in linear systems. Caglayan (1980) establishes conditions for detectability of additive
jump failures in linear systems. Nash et al. (1971) use optimal smoothing
to model step, ramp and other additive disturbances to gyroscopic inertial navigation
systems. Baruh uses a modal method to detect actuator (1986) and sensor
(1987) failures in distributed systems. Massoumnia and Vander Velde (1988) use a
parity-check technique to diagnose sensor and actuator failures in linear systems.

A primary challenge in diagnosing a malfunction arises from the uncertainty
in the form and properties of the failure. Determination of the best possible
malfunction diagnosis capability depends on modelling the failure uncertainty. A
set-theoretic, rather than probabilistic, representation of uncertainty in the failure
is employed in this work. This approach is motivated by the lack of detailed
probabilistic information on the possible failures. Set theoretical representations
of uncertainty have been employed in a wide range of engineering applications.
Schweppe (1968, 1973), Bertsekas and Rhodes (1971), Witsenhausen (1968a, b),
Schmitendorf (1987), Tempo (1988) and others have used unknown-but-bounded
set theoretic models to represent uncertain inputs in the control and estimation
of linear systems. Ben-Haim (1986, 1989) has represented uncertain malfunctions
in dynamical systems with a set-theoretical approach. Ben-Haim (1985) has used
set models of uncertainty in the optimal design of assay systems for measuring
spatially random material. Ben-Haim and Elias (1987) have represented uncertainty
in inverse heat transfer measurements with sets of spatially varying heat
transfer coefficients. Ben-Haim and Elishakoff (1989) have described geometric
imperfections in thin shells using sets of imperfection functions. Common to all
these treatments of uncertainty is the fact that convex sets of functions characterize
the uncertain temporally and/or spatially varying quantity. This approach
will be succinctly referred to as convex modelling.

A  multitude  of  powerful  concepts  for  failure  diagnosis  has  been  developed,  but 
a  comprehensive  methodology  for  designing  diagnosis  algorithms  is  lacking.  One 
component  in  an  overall  design  analysis  is  the  determination  of  the  best  diagnosis 
capability  which  can  be  attained  by  any  state  space  algorithm.  The  benchmark 
diagnosis  developed  in  this  report  does  precisely  that  for  additive  failures  in  a 
linear  deterministic  dynamic  system. 

A common approach to malfunction diagnosis is based on hypothesizing a set
of possible malfunctions, and then subjecting measurements of the system to a
maximum likelihood test, in order to decide which hypothesized malfunction is
most likely to have given rise to the measurements. This approach is appealing
for several reasons. The concept of maximum likelihood is intuitively satisfying as
a criterion of optimality. In addition, prior information about the system can be
exploited by judicious selection of the hypothesized malfunctions.

The performance of a multi-hypothesis algorithm for malfunction diagnosis is
limited by the disparity between its finite set of hypothesized malfunctions and
the infinity of possible failures. A large number of hypothesized malfunctions is
usually deemed necessary for reliable diagnosis in the presence of the substantial
uncertainty which accompanies the occurrence of failures. However, real-time
implementation of a multi-hypothesis algorithm of high multiplicity is problematical.
The second concept developed in this report, multi-hypothesis distinguishability,
provides a method for evaluating the performance of a multi-hypothesis algorithm
with respect to failure uncertainty. This performance-evaluation forms the
basis for selecting a robust and efficient collection of hypothesized malfunctions.

3  Normal  Dynamics  and  Control  of  the  AFTI/F16 

3.1  Formulation  of  the  Normal  Dynamics 

The representation of the dynamics of the AFTI/F16 aircraft is based on data
presented by Schneider (1986). The dynamics for steady-state linearized flight are
presented in state space form as:

$$\frac{dx}{dt} = Ax + Bu \tag{1}$$

where x is an 8-dimensional state vector, u is a 6-dimensional control vector, and
A and B are constant dynamics and control matrices. The 8 state variables are:
pitch angle, forward velocity, angle of attack, pitch rate, bank angle, sideslip angle,
roll rate and yaw rate. The 6 control variables are: right and left horizontal tails
(elevators), right and left wing flaps, canards (operated symmetrically) and rudder.
The structure of matrices A and B are reproduced in tables 1 and 2.

3.2 Formulation of an Automatic Controller

An automatic controller has been formulated for the linear dynamic model
described in the previous subsection. The aim of the controller is to restore the
state variables to nearly zero values, by applying control proportional to the state.
The duration of the control period is fixed, and denoted as $t_f$. The feedback gain
is chosen so as to minimize the integrated state-variable deviations from zero, to
minimize the integrated control, and to minimize the magnitude of the final state
variables. Specifically, the control is required to minimize the following expression:

$$J = (x^T S_f x)_{t_f} + \int_0^{t_f} \left[ x^T R x + u^T V u \right] dt \tag{2}$$

With this formulation it can be shown (Bryson and Ho, 1975, pp. 148-53) that
the control vector is given by:

$$u(t) = -V^{-1} B^T S(t) x(t) \tag{3}$$

where the gain matrix, $S(t)$, must satisfy the following differential matrix Riccati
equation:

$$\frac{dS}{dt} = -SA - A^T S + S B V^{-1} B^T S - R \tag{4}$$

with the endpoint boundary condition: $S(t_f) = S_f$.

3.3  Numerical  Demonstration  of  the  Normal  Dynamics 

The dynamical behavior of the AFTI/F16 aircraft model employed in this project
is briefly demonstrated in this section. Open-loop and closed-loop flight is presented.
In the open-loop mode one of the control variables is fixed at a non-zero
value, while the others are all fixed at zero. The dynamic behavior is calculated
from eq. (1). In the closed-loop mode the flight is initiated as in the open-loop
mode: with one fixed non-zero control function. The time dependent controller
is actuated as soon as any of the state variables exceeds a preset threshold value.
The controller is operated for the duration of $t_f$ = 0.15 seconds. At the end of this
control period the control actuators are all fixed at their last values, and the flight
is continued in open-loop (fixed control) mode until a state variable again exceeds
the threshold value. The controller is again imposed, and so on. The values of the
matrices A and B are given in tables 1 and 2 (from Schneider (1986)).

0
0
0
-55.2526
-2.80004
0.145674
0
0
0
0
0
7.23700
-0.0231840
-0.362530

Table 1: The Matrix A. The units of the state variables are radians, radians/sec
or feet/sec (after Schneider (1986)).

  0            0            0            0            0           0
  1.00296      1.00296      1.15840      1.15840      0           0
 -0.0746135   -0.0746135   -0.122462    -0.122462     0           0
-12.0291     -12.0291      -3.23635     -3.23635      0           0
  0            0            0            0            0           0
  0.0133045   -0.0133045   -0.0006855    0.0006855    0.0267340   0.0370320
-25.3645      25.3645     -25.5251      25.5251       5.53185    10.3955
 -2.56855      2.56855     -0.625030     0.625030     5.89254    -5.80890

Table 2: The Matrix B. The units of the state and control variables are radians,
radians/sec or feet/sec (after Schneider (1986)).

Symbol     State Variable      Control Variable
octagon    pitch               right elevator
A          forward velocity    left elevator
+          angle of attack     right wing flap
X          pitch rate          left wing flap
diamond    roll                canard
T          yaw                 rudder
table      roll rate           —
Z          yaw rate

Table 3: Legend for figures in this section.

Figures 1-4 show open loop behavior of the aircraft at 0.9 Mach and 20,000 feet
altitude. These four figures show the time dependence of the 8 state variables in
response to four different fixed-control conditions. The units are feet, seconds and
degrees. The single non-zero control function is fixed at +4 degrees in each case.
In figure 1 the non-zero control is the right horizontal tail (otherwise known as the
right elevator); the right flap in Figure 2; the canards (operated symmetrically) in
Figure 3; and the rudder in Figure 4. The legend of the symbols for the figures in
this section appears in table 3.

The open-loop dynamics have been calculated from eq. (1) by a simple
finite-difference method. The Riccati equation, relation (4), must be solved for the
closed-loop calculation. This is done by a backward finite difference calculation.
Then eq. (1) is solved, together with eq. (3), by finite difference. The time step
size for all finite difference calculations is 0.001 second. The matrices $S_f$ and R in
the Riccati equation are positive semi-definite while V is positive definite. In the
numerical calculations to be discussed, these matrices are chosen to be diagonal,
with equal diagonal elements. The diagonal elements of R equal $50/t_f$, of V equal
$2/t_f$ and of $S_f$ equal 0.25.

Figure 2: Dynamic open loop response to a +4 degree deflection of the right wing
flap.
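The calculation just described can be followed in the Python example below, which is added here and is not code from the report. It integrates eq. (4) backward from $S(t_f) = S_f$ with the 0.001 s step, then runs eq. (1) forward with the threshold-triggered controller of eq. (3). The plant matrices `A` and `B` are a constructed two-state, two-actuator system (an assumption, not the AFTI/F16 data), and the state is treated as unitless against the threshold of 0.5.

```python
DT = 0.001          # finite-difference step used in the report (s)
T_F = 0.15          # duration of one control period (s)
Q = 50.0 / T_F      # diagonal elements of R (state weight)
V = 2.0 / T_F       # diagonal elements of V (control weight)
S_F = 0.25          # diagonal elements of S_f
THRESHOLD = 0.5     # state magnitude that actuates the controller

# Constructed plant (an assumption, not the AFTI/F16 matrices).
A = [[0.0, 1.0], [0.0, 0.0]]
B = [[0.0, 0.0], [1.0, 0.5]]


def matmul(X, Y):
    return [[sum(X[r][k] * Y[k][c] for k in range(len(Y)))
             for c in range(len(Y[0]))] for r in range(len(X))]


def transpose(X):
    return [list(col) for col in zip(*X)]


def riccati_backward(steps):
    """Integrate eq. (4) backward in time from S(t_f) = S_f.
    Returns hist with hist[i] = S(i * DT) for i = 0..steps."""
    n = len(A)
    S = [[S_F * (r == c) for c in range(n)] for r in range(n)]
    hist = [S]
    for _ in range(steps):
        SA = matmul(S, A)
        AtS = matmul(transpose(A), S)
        SB = matmul(S, B)
        quad = matmul(SB, transpose(SB))    # S B B^T S; S is symmetric, V = V * I
        dS = [[-SA[r][c] - AtS[r][c] + quad[r][c] / V - Q * (r == c)
               for c in range(n)] for r in range(n)]
        S = [[S[r][c] - DT * dS[r][c] for c in range(n)] for r in range(n)]
        hist.append(S)
    hist.reverse()
    return hist


def simulate(u_fixed, total_steps):
    """Forward Euler on eq. (1): fixed controls until a state exceeds THRESHOLD,
    then eq. (3) for T_F seconds, then the controls stay at their last values."""
    steps = round(T_F / DT)
    S_hist = riccati_backward(steps)
    n, m = len(A), len(B[0])
    x, u = [0.0] * n, list(u_fixed)
    remaining = 0                           # control steps left in this period
    events = []
    for step in range(total_steps):
        if remaining == 0 and max(abs(xi) for xi in x) > THRESHOLD:
            remaining = steps
            events.append(("trigger", step * DT, list(x)))
        if remaining > 0:
            S = S_hist[steps - remaining]   # gain at time elapsed in the period
            Sx = [sum(S[r][c] * x[c] for c in range(n)) for r in range(n)]
            u = [-sum(B[r][a] * Sx[r] for r in range(n)) / V for a in range(m)]
        x = [x[r] + DT * (sum(A[r][c] * x[c] for c in range(n))
                          + sum(B[r][a] * u[a] for a in range(m)))
             for r in range(n)]
        if remaining > 0:
            remaining -= 1
            if remaining == 0:
                events.append(("release", (step + 1) * DT, list(x)))
    return S_hist, events


if __name__ == "__main__":
    # First control held at +4, the other at zero, for 0.4 s of flight.
    for event in simulate([4.0, 0.0], 400)[1]:
        print(event)
```
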

Figures 1 and 2 show substantial similarity in the effect of the right wing flap
and the right elevator. In each, a +4 degree deflection results in appreciable roll
rate: about -30 degrees/sec at the end of 0.5 second. The elevator produces more
pitching motion than the wing flap. The other state variables are less affected
during the first 0.5 second.

Figure  3  shows  the  dynamic  response  to  a  +4  degree  symmetrical  deflection  of 
the  canards.  The  roll  and  yaw  motions  are  strongly  induced,  while  the  longitudinal 
state  variables  are  completely  unaffected. 

Figure  4  demonstrates  the  response  to  a  +4  degree  deflection  of  the  rudder.  The 
yawing  moment  is  predominant,  and  the  rolling  moment  is  pronounced  and  reverses 
its  sign  after  about  0.4  second.  The  longitudinal  state  variables  are  unaffected. 

Figures 5-12 show the state and control variables in four different closed-loop
modes. As explained above, each flight is initiated in the open-loop mode with
a single non-zero control held at a fixed value of +4 degrees. (This initial value
of the control is not depicted in the figures because it is far off scale. Rather, all
the control variables are shown as initially equal to zero). In figures 5 and 6 the
non-zero control function is the right elevator; in figures 7 and 8 the right wing
flap; in figures 9 and 10 the canards; in figures 11 and 12 the rudder.

Figure 5 shows the dynamic, closed-loop response to an initial +4 degree
deflection of the right elevator. Rolling and pitching moments develop quickly, as in
figure 1. However, after only 5 milliseconds, the absolute value of the roll rate
exceeds the threshold of 0.5 for triggering the controller. The controller is actuated,
as seen in figure 6, for 0.15 second, during which time the rolling and pitching
moments are rapidly reduced. This is achieved by positive deflections of canards
and the rudder, and negative deflections of the right wing flap and the left and
right elevators. The left wing flap varies from positive to negative values. After
completion of the 0.15 second control period, the control functions are fixed at
their last values and the flight is continued in the open-loop (fixed-control) mode.

Figures 7 and 8 show the response and controls when the initial fixed-control
perturbation was a +4 degree deflection of the right wing flap. The dynamic and
control responses are qualitatively similar to those shown in response to an initial
right elevator deflection.

Figures 9 and 10 show the dynamic and control responses to a +4 degree
deflection of the canards. Strong rolling and yawing moments develop quickly,
as in figure 3. This results in actuation of the controller after 0.022 seconds.
Positive right flap and elevator, positive rudder and symmetrical negative left flap
and elevator, together with negative deflection of the canards, result in reversal
of the lateral moments. Note, however, that the control period terminates (at
0.172 second) before the yawing and rolling moments are completely zeroed. In
the fixed-control period a negative yaw rate develops, resulting in reactivation of
the controls at 0.471 second.

Figures 11 and 12 show the dynamic and control responses to an initial positive
deflection of the rudder.

4 Representing Control-Actuator Failure

Our  aim  in  this  section  is  to  develop  a  convenient  formalism  for  representing  the 
measurements  of  a  linear  system  with  control  actuator  failure. 

The  dynamic  behavior  and  measurements  of  the  failure-free  linear  deterministic 
system  are  represented  as: 


$$\frac{dx}{dt} = A(t)x(t) + B(t)u(t) \tag{5}$$

$$y(t) = G(t)x(t) \tag{6}$$

where x, y and u are state, measurement and control vectors of dimensions N, L
and M respectively and A, B and G are known matrices. The system is regulated
automatically by a feedback controller proportional to the state:

$$u(t) = S(t)x(t) \tag{7}$$

Figure 11: Dynamic closed-loop response to a +4 degree deflection of the rudder.

Let us now consider the representation of J control actuator failures. The
indices of the failed actuators are $j = (j_1, \ldots, j_J)$. When a malfunction occurs
in the $j_k$th control actuator its normal control function, $u_{j_k}(t)$, is replaced by
an autonomous expression. Let $f(t)$ be an M-element vector whose $j_k$th
element is the autonomous behavior of the failed $j_k$th actuator, for $k = 1, \ldots, J$,
and whose other elements are zero. Let $I_j$ be the matrix obtained from the M x M
identity matrix by removing each of the J rows $j_1, \ldots, j_J$. Thus $I_j u(t)$ is a vector
of length M - J obtained by removing the elements from the nominal
control vector, $u(t)$. Similarly, $B I_j^T$ is an N x (M - J) matrix obtained by removing
the columns $j_1, \ldots, j_J$ from the matrix B. (The superscript T denotes matrix
transposition.) Using this notation, the dynamic response of the system to failure
of J actuators whose indices are j is described by:

$$\frac{dx}{dt} = A(t)x(t) + B(t) I_j^T I_j u(t) + B(t) f(t) \tag{8}$$

The normal algorithm still calculates the feedback control vector from eq. (7).
However, $I_j u$ is implemented rather than $u$. Combining eqs. (7) and (8) yields:

$$\frac{dx}{dt} = \left[ A(t) + B(t) I_j^T I_j S(t) \right] x(t) + B(t) f(t) \tag{9}$$

The state vector $x(t)$ can be expressed in terms of a transition matrix $X_j$, which
is the solution of the following differential equation (Bellman, 1974):

$$\frac{dX_j}{dt} = \left[ A(t) + B(t) I_j^T I_j S(t) \right] X_j(t), \qquad X_j(0) = I \tag{10}$$

Finally, the measurement vector in response to failure vector $f(t)$ is:

$$y_f(t) = G(t) X_j(t) x(0) + G(t) \int_0^t X_j(t) X_j^{-1}(\tau) B(\tau) f(\tau)\, d\tau \tag{11}$$

5 Convex Models of Malfunction Uncertainty

The satisfactory diagnosis of malfunction depends upon prior knowledge of the
malfunction phenomenon as a whole. However, malfunction is often so complex
that one is unable to formulate a probability measure, defined in a space of failure
functions, which expresses the probability density for occurrence of specific
malfunctions. On the other hand, partial information is likely to enable the
characterization of possible malfunctions in set-theoretic terms.

In a set-theoretic model of malfunction the failure vector $f(t)$ belongs to a
set of malfunctions which all share some global, phenomenological property in
common. For example, one may consider failure sets of step-like functions which
occur at or around a particular time, or ramp-like functions all with similar slopes.
Alternatively, the failure-functions may be uniformly bounded and of extended
duration, or may be transient disturbances of bounded total energy.

In general, the failure set F(p), where p is a parameter vector, is the set of
vector-valued functions which represent all realizable failures of type p. It is often
found in practice that the information available for characterizing the possible
malfunctions leads naturally to assuming F(p) to be a convex set. We shall assume
our failure sets to be convex, and refer to F(p) as a convex model for failures of type
p. The adoption of a convex model for representing the variability of each type of
failure can be motivated by theoretical considerations. This is briefly discussed in
the Appendix.

A widely used convex model for set-theoretic representation of uncertainty is
based on assuming that the functions in question are uniformly bounded. The
failure sets are defined as:

$$F(p) = \left\{ f^T = (f_1, \ldots, f_M) : \underline{p}_m \le f_m(t) \le \overline{p}_m,\ t \in [0, \infty),\ m = 1, 2, \ldots, M \right\} \tag{12}$$

where $p = (\underline{p}_1, \overline{p}_1, \ldots, \underline{p}_M, \overline{p}_M)$. Thus the autonomous (malfunctioning) value of the
mth control function varies arbitrarily between $\underline{p}_m$ and $\overline{p}_m$. Usually the number
of actuator failures is less than the dimension M of the control vector. This is
represented by choosing $\underline{p}_m = \overline{p}_m = 0$ for each of the functioning actuators.

Eq. (11) maps each failure vector $f(t)$ in F(p) to a vector $y_f(t)$ in measurement
space. Let C(p) be the set of all the measurement vectors obtained from failures
in the set F(p). That is:

$$C(p) = \{ y : y(t) = y_f(t) \ \text{for all}\ f \in F(p) \} \tag{13}$$

We will call C(p) the complete response set for failures of type p.

6  Benchmark  Diagnosis  Capability 

6.1  The  Concept  of  Benchmark  Diagnosis 

Malfunction diagnosis¹ is based on distinguishing between response sets which
correspond to distinct types of failure. Response sets which are far apart will be easily
distinguished, while malfunction diagnosis becomes more difficult and uncertain
for response sets which are closer together. Finally, if two response sets C(p) and
C(q) overlap, then no algorithm will be able to distinguish every occurrence of
failure of type p from every occurrence of failure-type q. The capability for
malfunction diagnosis is thus ultimately limited by the overlapping of response sets.
The disjointness of response sets determines the limiting or benchmark malfunction
diagnosis capability. This benchmark is an expression of the failure uncertainty
characteristic of the system studied, of the failure environment within which it
operates, and of the knowledge embodied in the system and failure models.
Improved malfunction diagnosis can be obtained only by modifying the system or its
measurements or the failure environment, or by augmenting the knowledge with
which the system and its failures are modelled.

¹ The material of this section will be presented at the IFAC Conference on Advanced Information
Processing in Automatic Control, 3-5 July 1989, Nancy, France (Ben-Haim, 1989a).

If the complete response sets for two types of failures are disjoint we will say
that the failures are benchmark distinguishable, meaning that it is possible, in
principle, to distinguish between all occurrences of these failure types. On the
other hand, failure types whose response sets intersect are said to be benchmark
indistinguishable, indicating that no algorithm can distinguish between every
possible occurrence of these failure types. Determination of the benchmark diagnosis
capability thus involves establishing the disjointness or intersection of response
sets.

The disjointness of response sets, and hence the benchmark diagnosis capability,
is readily formulated by using a hyperplane separation theorem for convex sets
(Rockafellar, 1970). Let C(p) and C(q) be non-empty, closed and bounded convex
response sets in a finite dimensional Euclidean space. C(p) and C(q) are disjoint
if and only if there exists a hyperplane P such that C(p) is in one half-space
defined by P and C(q) is in the other half-space. This theorem can be expressed
algebraically as follows:

$$C(p) \cap C(q) = \emptyset \tag{14}$$

if and only if there exists a real vector $\omega$ such that:

$$\max_{c \in C(p)} \omega^T c < \min_{d \in C(q)} \omega^T d \tag{15}$$

For further discussion of relations 14 and 15 see Ben-Haim, 1985.

The disjointness of complete response sets is established by determining the
extremal values on the complete response sets of the linear function $\omega^T x$. The
complete response sets C(p) and C(q) are images of the failure sets F(p) and
F(q), as in eq. (13). Consequently, a necessary and sufficient condition for the
disjointness of C(p) and C(q) is the existence of a vector $\omega$ such that:

$$\max_{\phi \in F(p)} \omega^T y_\phi < \min_{\psi \in F(q)} \omega^T y_\psi \tag{16}$$

This relation forms the basis for an algorithmic determination of the disjointness
of response sets. The algorithm searches for a vector $\omega$ which satisfies relation
(16). (It is sufficient to search on the unit sphere because (16) is homogeneous
in $\omega$.) Disjointness is established if such a vector is found. If no such vector
exists, then the sets intersect. In this way the benchmark malfunction diagnosis
capability of the system can be determined.

6.2 Hyperplane Separation for Uniformly Bounded Malfunctions

The benchmark diagnosis capability is based on determining the disjointness of
complete response sets for different types of failure. Each complete response set
C(p) is the image in measurement space of the set F(p) of possible failures of type p.
The failure set F(p) represents the uncertainty in the realization of failures of type
p. In this section we develop the hyperplane separation algorithm for determining
the disjointness of complete response sets for uniformly bounded actuator failures.

Consider two different failure sets: F(p) represents the failure of J control
actuators whose indices are $j = (j_1, \ldots, j_J)$ and with uniform bounds
$p = (\underline{p}_1, \overline{p}_1, \ldots, \underline{p}_M, \overline{p}_M)$ on the failure functions. F(q) represents the failure
of K actuators whose indices are $k = (k_1, \ldots, k_K)$ with uniform bounds
$q = (\underline{q}_1, \overline{q}_1, \ldots, \underline{q}_M, \overline{q}_M)$ on the failure functions. The corresponding complete
response sets are C(p) and C(q), as defined by eq. (13). Our aim is to determine
whether or not there exists a vector $\omega$ satisfying relation (16).

Let $X_j(t)$ and $X_k(t)$ represent the transition matrices for the two types of failure,
obtained as solutions of eq. (10). Note that the transition matrix depends
on which actuators have failed, but is entirely independent of the uniform bounds
on the failed actuators. For convenience of notation define $\lambda_m(t, \tau)$ and $\mu_m(t, \tau)$
as the mth columns of $G(t) X_j(t) X_j^{-1}(\tau) B(\tau)$ and $G(t) X_k(t) X_k^{-1}(\tau) B(\tau)$,
respectively. Also denote $y_j^0(t) = G(t) X_j(t) x(0)$ and $y_k^0(t) = G(t) X_k(t) x(0)$.

Using this notation one finds that, for an arbitrary $\phi \in F(p)$, the inner product
$\omega^T y_\phi$ assumes the form:

$$\omega^T y_\phi(t) = \omega^T y_j^0(t) + \sum_{m=1}^{M} \int_0^t \phi_m(\tau)\, \omega^T \lambda_m(t, \tau)\, d\tau \tag{17}$$

Likewise, for an arbitrary element $\psi \in F(q)$, the inner product $\omega^T y_\psi$ becomes:

$$\omega^T y_\psi(t) = \omega^T y_k^0(t) + \sum_{m=1}^{M} \int_0^t \psi_m(\tau)\, \omega^T \mu_m(t, \tau)\, d\tau \tag{18}$$

Examination of eq. (17) shows that $\omega^T y_\phi$ achieves its maximum when each
$\phi_m(\tau)$ is chosen to switch between its extremal values as $\omega^T \lambda_m(t, \tau)$ changes sign.
Specifically, $\omega^T y_\phi$ is maximized by choosing the elements of $\phi$ as:

$$\phi_m(\tau) = \begin{cases} \overline{p}_m, & \omega^T \lambda_m(t, \tau) \ge 0 \\ \underline{p}_m, & \omega^T \lambda_m(t, \tau) < 0 \end{cases} \tag{19}$$

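Let $D_{m+}$ and $D_{m-}$ denote the subsets of $[0, t]$ for which $\omega^T \lambda_m(t, \tau)$ is non-negative
and negative, respectively. Thus:

$$\max_{\phi \in F(p)} \omega^T y_\phi = \omega^T y_j^0(t) + \sum_{m=1}^{M} \left[ \overline{p}_m \int_{D_{m+}} \omega^T \lambda_m(t, \tau)\, d\tau + \underline{p}_m \int_{D_{m-}} \omega^T \lambda_m(t, \tau)\, d\tau \right] \tag{20}$$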

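Similarly, $\omega^T y_\psi$ in eq. (18) is minimized by choosing each $\psi_m(\tau)$ as a switching
function which follows the sign changes of $\omega^T \mu_m(t, \tau)$. Let $\Delta_{m+}$ and $\Delta_{m-}$ denote
the subsets of $[0, t]$ for which $\omega^T \mu_m(t, \tau)$ is non-negative and negative, respectively.
Thus:

$$\min_{\psi \in F(q)} \omega^T y_\psi = \omega^T y_k^0(t) + \sum_{m=1}^{M} \left[ \underline{q}_m \int_{\Delta_{m+}} \omega^T \mu_m(t, \tau)\, d\tau + \overline{q}_m \int_{\Delta_{m-}} \omega^T \mu_m(t, \tau)\, d\tau \right] \tag{21}$$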

Relations (20), (21) and (16) together define a necessary and sufficient condition for the disjointness of $C(p)$ and $C(q)$, and hence for the benchmark distinguishability of the corresponding failure sets.

6.3 Example: Actuator Failures in AFTI/F16 Aircraft

The benchmark malfunction diagnosis capability has been evaluated for a range of uniformly bounded control actuator failures in the AFTI/F16 aircraft in steady rectilinear flight at 0.9 Mach and 20,000 feet altitude. The 8 state variables are: pitch angle, forward velocity, angle of attack, pitch rate, bank angle, sideslip angle, roll rate and yaw rate. The 6 control variables are: right and left horizontal tails (elevators), right and left wing flaps, canards (operated symmetrically) and rudder. The dynamics, control and measurement matrices $A$, $B$ and $G$ are constant in time. The values of the matrices $A$ and $B$ are presented in tables 1 and 2 (from Schneider (1986)) and $G$ is the identity matrix.

The system is controlled by an automatic regulator whose aim is to restore the state variables to nearly zero values by applying minimal control proportional to the state. The duration of the control period is fixed, and denoted as $t_f$. The controller minimizes the following expression:

$$J = \left(x^T S_f x\right)_{t_f} + \int_0^{t_f} \left(x^T R x + u^T V u\right) dt \qquad (22)$$

With this formulation it can be shown (Bryson and Ho, 1975) that the control vector is given by:

$$u(t) = -V^{-1} B^T S(t)\,x(t) \qquad (23)$$

where the gain matrix, $S(t)$, must satisfy the following differential matrix Riccati equation:

$$\frac{dS}{dt} = -SA - A^T S + S B V^{-1} B^T S - R \qquad (24)$$

with the endpoint boundary condition: $S(t_f) = S_f$.

The Riccati equation is solved numerically by backward finite difference calculation. Eq. (5) is solved, together with eq. (23), by finite difference. The time step size for all finite difference calculations is 0.001 second. The matrices $S_f$, $R$, and $V$ are diagonal, with equal diagonal elements. The diagonal elements of $R$ equal $50/t_f$, of $V$ equal $2/t_f$ and of $S_f$ equal 0.25. The duration of the control period is $t_f = 0.15$ sec.

Let us consider two failure sets. One set, $F(p)$, will be a set of failures in the 2nd and 6th control actuators (left elevators and rudder). Thus:

$$p = (0,\ 0,\ \check p_2,\ \hat p_2,\ 0,\ 0,\ 0,\ 0,\ 0,\ 0,\ \check p_6,\ \hat p_6) \qquad (25)$$

We will choose:

$$\check p_2 = \check p_6 = 1^\circ, \qquad \hat p_2 = \hat p_6 = 2^\circ \qquad (26)$$

Thus $F(p)$ represents all failures in which the deflection of the left elevator and the rudder vary arbitrarily and independently between 1° and 2°, while all the remaining actuators vary according to the nominal feedback controller.

The second failure set, $F(q)$, is a set of failures in the 2nd and 5th control actuators (left elevators and canards). Thus:

$$q = (0,\ 0,\ \check q_2,\ \hat q_2,\ 0,\ 0,\ 0,\ 0,\ \check q_5,\ \hat q_5,\ 0,\ 0) \qquad (27)$$

We will assume that:

$$\hat q_2 = \check q_2 + 1^\circ, \qquad \hat q_5 = \check q_5 + 1^\circ \qquad (28)$$

Thus $F(q)$ represents all malfunctions in which the deflection of the left elevator varies between $\check q_2$ and $\check q_2 + 1^\circ$, while the canard deflection varies between $\check q_5$ and $\check q_5 + 1^\circ$.

We will use relation (16) to determine which failure sets $F(p)$ and $F(q)$ are benchmark distinguishable, as a function of the values of $\check q_2$ and $\check q_5$. The real-time identification of the failure sets must be performed in a very short duration. It is thus of particular interest to determine which subsets of the 8-component measurement vector provide benchmark distinguishability of the failure sets.

Figure 13 shows part of the $\check q_5$ versus $\check q_2$ plane. Each point on this plane specifies a value of $\check q_2$ and of $\check q_5$ and thus specifies the parameter vector $q$, defined by eqs. (27) and (28). Thus each point represents a failure set $F(q)$. Those failure sets represented by points in the regions marked ‘D’ are benchmark distinguishable from the failure set $F(p)$, while those failure sets in the region marked ‘ND’ are not benchmark distinguishable from $F(p)$, where $p$ is defined by eqs. (25) and (26). Furthermore, this distinguishability is based on measurement of the first state variable alone (pitch angle) 0.15 sec after onset of the failure.

Figures 14 to 20 also portray regions of benchmark distinguishability on the $\check q_5$ versus $\check q_2$ plane, for measurement of a single state variable 0.15 sec after onset of failure. The state variables employed in Figures 14 to 20 are: forward velocity, angle of attack, pitch rate, bank angle, sideslip angle, roll rate and yaw rate, respectively. It is seen that the benchmark distinguishability of $F(q)$ from $F(p)$ obtained by measuring any one of the following state variables is approximately the same: 1st, 2nd, 4th, 5th or 7th. On the other hand, measurement of the 6th or 8th state variable provides benchmark distinguishability in a different region of the plane, while measurement of the 3rd state variable provides little distinguishability at all.

It is noted that most of these single-measurement examples provide benchmark distinguishability for roughly half of the range of failure sets $F(q)$ examined. Furthermore, certain pairs of measurements provide complementary distinguishability. For example, the regions of distinguishability with the 2nd (Figure 14) and the 8th (Figure 20) state variables together nearly cover the entire range of $(\check q_2, \check q_5)$ values considered. Figure 21 shows the regions of benchmark distinguishable and non-distinguishable malfunctions based on simultaneous measurement (at $t = 0.15$ sec) of the 2nd and 8th state variables. It is evident that $F(q)$ and $F(p)$ are benchmark distinguishable over most of the values of $(\check q_2, \check q_5)$ considered.

Figure 22 shows an overlay of Figures 14 (small dash), 20 (large dash) and 21 (solid). The non-distinguishable region with two measurements is smaller than the intersection of the non-distinguishable regions of the two single measurement cases. Thus simultaneous measurement of two state variables provides better benchmark distinguishability than would be expected from each state variable alone.

A similar phenomenon is observed in Figure 23, which shows the regions of benchmark distinguishability for simultaneous measurement (at $t = 0.15$ sec) of the 1st (pitch angle) and 6th (sideslip angle) variables (solid line). Figures 13 (large dash) and 18 (small dash) are overlaid for comparison. The non-distinguishable region of the double measurement is smaller than the intersection of the non-distinguishable regions of the two single measurements.

However, this mutual improvement is not obtained in every case. Figure 24 shows the benchmark performance of the simultaneous measurement (at $t = 0.15$ sec) of the 2nd (forward velocity) and 7th (roll rate) state variables. In this case the region of two-measurement benchmark distinguishability is precisely the intersection of the two single-measurement regions (Figures 14 and 19).

These  examples  suffice  to  demonstrate  that  relation  (16)  provides  a  means  of 
identifying  efficient  combinations  of  state  variables  whose  measurement  enables 
reliable,  benchmark,  differentiation  between  distinct  failure  sets. 
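
The separation test of relations (16), (20) and (21), applied to different measurement subsets as in this section, can be run numerically as follows. This is an added example, not code from the report: the two-state plant, constant gain, bounds and all function names are constructed for illustration (the AFTI/F16 matrices of tables 1 and 2 are not used), and searching a finite grid of directions $\omega$ is an assumption of the example.

```python
import math

def closed_loop(A, B, S, failed):
    """A + B I_j^T I_j S: the feedback u = S x acts only through working actuators."""
    n, M = len(A), len(B[0])
    return [[A[r][c] + sum(B[r][m] * S[m][c] for m in range(M) if m not in failed)
             for c in range(n)] for r in range(n)]

def propagate(Aj, v0, t_end, dt):
    """Samples of exp(Aj s) v0 at s = 0, dt, ..., t_end (classical RK4)."""
    def f(v):
        return [sum(a * x for a, x in zip(row, v)) for row in Aj]
    def shift(v, k, h):
        return [x + h * y for x, y in zip(v, k)]
    v, out = list(v0), [list(v0)]
    for _ in range(round(t_end / dt)):
        k1 = f(v)
        k2 = f(shift(v, k1, dt / 2))
        k3 = f(shift(v, k2, dt / 2))
        k4 = f(shift(v, k3, dt))
        v = [x + dt * (a + 2 * b + 2 * c + d) / 6
             for x, a, b, c, d in zip(v, k1, k2, k3, k4)]
        out.append(v)
    return out

def response_model(plant, fset, t_end, dt=1e-3):
    """Free state response at t_end and, per failed actuator m, samples of
    exp(Aj s) B_m, i.e. X_j(t) X_j^{-1}(t - s) B_m for constant A, B and S."""
    A, B, S, x0 = plant
    Aj = closed_loop(A, B, S, fset)
    free = propagate(Aj, x0, t_end, dt)[-1]
    cols = {m: propagate(Aj, [row[m] for row in B], t_end, dt) for m in fset}
    return free, cols, dt

def projection_range(model, fset, measured, omega):
    """(min, max) of omega^T y(t) over the complete response set, as in eqs. (20)-(21)."""
    free, cols, dt = model
    def proj(x):  # omega^T G x, where G picks the measured state variables
        return sum(w * x[i] for w, i in zip(omega, measured))
    lo = hi = proj(free)                       # omega^T y^0(t)
    for m, (p_lo, p_hi) in fset.items():
        k = [proj(x) for x in cols[m]]         # omega^T lambda_m(t, t - s)
        w = [dt] * len(k)
        w[0] = w[-1] = dt / 2                  # trapezoid weights
        pos = sum(wi * ki for wi, ki in zip(w, k) if ki >= 0)   # integral over D_m+
        neg = sum(wi * ki for wi, ki in zip(w, k) if ki < 0)    # integral over D_m-
        hi += p_hi * pos + p_lo * neg          # bang-bang maximizer
        lo += p_lo * pos + p_hi * neg          # bang-bang minimizer
    return lo, hi

def separating_direction(plant, measured, set_p, set_q, t_end, n_dir=360):
    """First grid direction omega with max over C(p) < min over C(q), else None.
    A returned omega certifies disjointness; for two measurements, None only
    means that no direction on the grid separates the sets."""
    if len(measured) == 1:
        grid = [(1.0,), (-1.0,)]
    else:
        grid = [(math.cos(2 * math.pi * i / n_dir), math.sin(2 * math.pi * i / n_dir))
                for i in range(n_dir)]
    model_p = response_model(plant, set_p, t_end)
    model_q = response_model(plant, set_q, t_end)
    for omega in grid:
        max_p = projection_range(model_p, set_p, measured, omega)[1]
        min_q = projection_range(model_q, set_q, measured, omega)[0]
        if max_p < min_q:
            return omega
    return None

# Constructed two-state, two-actuator plant and failure sets (illustrative values).
A = [[-1.0, 0.0], [0.0, -1.0]]
B = [[1.0, 1.0], [1.0, 1.5]]
S = [[-1.0, 0.0], [0.0, 0.0]]        # constant feedback gain, u = S x
PLANT = (A, B, S, [0.0, 0.0])        # x(0) = 0
F_P = {0: (1.0, 2.0)}                # failed actuator 0, deflection between 1 and 2
F_Q = {1: (1.0, 2.0)}                # failed actuator 1, deflection between 1 and 2
T_OBS = 0.15                         # observation time after onset of failure

if __name__ == "__main__":
    for measured in [(0,), (1,), (0, 1)]:
        print(measured, separating_direction(PLANT, measured, F_P, F_Q, T_OBS))
```

On this constructed plant neither state variable alone separates the two response sets, while the pair of measurements does.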

6.4  Energy-Bounded  Failure  Functions 

The uniform-bound convex model is by far the most widely used set-theoretical representation of uncertainty. It is particularly useful to describe uncertainty with uniform bounds when the failure functions are roughly constant in time. For instance, the deflection uncertainty of nearly hard failures, wherein the deflections of the failed control surfaces flutter around fixed values, is conveniently represented by uniform bounds. On the other hand, the uncertainty inherent in malfunctions which involve a strong transient component is not conveniently represented with a uniform-bound model. A variety of convex models can be employed for representing the uncertainty in strongly varying malfunctions. In this section we formulate one such model and derive the hyperplane separation criterion for benchmark distinguishability of these sets of failures.

The energy-bound convex model of failure uncertainty is formulated as follows.

Figure 23: Regions of benchmark distinguishability of $F(q)$ from $F(p)$ for simultaneous measurement of the 1st and 6th state variables (solid), and for single measurement of the 1st (small dash) and the 6th (large dash) state variable.

Consider malfunction of $J$ actuators, whose indices are $j = (j_1, \ldots, j_J)$. Let $f(t)$ be an $M$-element vector whose $j_k$th element represents the autonomous behavior of the failed $j_k$th actuator, for $k = 1, \ldots, J$, and whose other elements are zero.

Let $E$ be a positive number and $\bar f(t)$ a specified vector function whose elements, other than the elements $j_1, \ldots, j_J$, are zero. The set of possible control actuator failures is:

$$F(\bar f, E) = \left\{ f : \int \left(f(\tau) - \bar f(\tau)\right)^T \left(f(\tau) - \bar f(\tau)\right) d\tau \le E \right\} \qquad (29)$$

The elements of $F(\bar f, E)$ are vector functions whose elements $f_{j_1}, \ldots, f_{j_J}$ deviate from $\bar f(t)$ with an energy not exceeding $E$. (It is implicitly understood in the definition of $F(\bar f, E)$ that the $M - J$ other elements of $f$ are identically zero).

Let $F(\bar f, E_1)$ be a set of energy-bounded failures in actuators $j = (j_1, \ldots, j_J)$, and let $F(\bar g, E_2)$ be a set of energy-bounded failures in actuators $k = (k_1, \ldots, k_J)$. Let $X_j(t)$ and $X_k(t)$ be the corresponding transition matrices.

From the discussion in section 6.1 it is evident that every failure in $F(\bar f, E_1)$ can be distinguished from every failure in $F(\bar g, E_2)$, and thus these failure sets are benchmark distinguishable, if and only if there exists a vector $\omega$ such that:

$$\max_{f \in F(\bar f, E_1)} \omega^T y_f < \min_{g \in F(\bar g, E_2)} \omega^T y_g \qquad (30)$$

We now proceed to develop explicit expressions for these extrema. Let $y_j^0(t)$ and $y_k^0(t)$ be defined as before and define:

$$\Psi_j(t,\tau) = G(t) X_j(t) X_j^{-1}(\tau) B(\tau) \qquad (31)$$

$$\Psi_k(t,\tau) = G(t) X_k(t) X_k^{-1}(\tau) B(\tau) \qquad (32)$$

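Then, for $f \in F(\bar f, E_1)$,

$$\omega^T y_f(t) = \omega^T y_j^0(t) + \int_0^t \omega^T \Psi_j(t,\tau) f(\tau)\,d\tau \qquad (33)$$

$$= \omega^T y_j^0(t) + \int_0^t \omega^T \Psi_j(t,\tau)\left(f(\tau) - \bar f(\tau)\right) d\tau + \int_0^t \omega^T \Psi_j(t,\tau) \bar f(\tau)\,d\tau \qquad (34)$$

Likewise, for $g \in F(\bar g, E_2)$,

$$\omega^T y_g(t) = \omega^T y_k^0(t) + \int_0^t \omega^T \Psi_k(t,\tau)\left(g(\tau) - \bar g(\tau)\right) d\tau + \int_0^t \omega^T \Psi_k(t,\tau) \bar g(\tau)\,d\tau \qquad (35)$$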

Let $u(t)$ and $v(t)$ be vector functions. The Cauchy inequality asserts that:

$$\left(u^T v\right)^2 \le \left(u^T u\right)\left(v^T v\right) \qquad (36)$$

with equality if $u$ is proportional to $v$ (Hardy, Littlewood and Polya, 1952). The Schwarz inequality asserts that:

$$\left(\int \sqrt{u^T u}\,\sqrt{v^T v}\;dt\right)^2 \le \int u^T u\,dt \int v^T v\,dt \qquad (37)$$

with equality if $\sqrt{u^T u}$ is proportional to $\sqrt{v^T v}$. Thus,


with equality if $u$ is proportional to $v$. By a similar argument one finds that


again with equality if $u$ is proportional to $v$.

We now apply relation (38) to eq. (31) to find the maximum of $\omega^T y_f$. The function $f$ can be chosen from $F(\bar f, E_1)$ so that $f - \bar f$ is proportional to $\Psi_j^T \omega$. Because $f$ belongs to $F(\bar f, E_1)$ the energy of deviation of $f$ from $\bar f$ equals $E_1$. Employing these considerations and relation (38) one finds the maximum of the expression in eq. (34) to be:

$$\max_{f \in F(\bar f, E_1)} \omega^T y_f(t) = \omega^T y_j^0(t) + \int_0^t \omega^T \Psi_j(t,\tau) \bar f(\tau)\,d\tau + \sqrt{E_1}\,\sqrt{\int_0^t \omega^T \Psi_j(t,\tau) \Psi_j^T(t,\tau)\,\omega\,d\tau} \qquad (40)$$

By a similar argument one finds that the minimum of $\omega^T y_g$ is:

$$\min_{g \in F(\bar g, E_2)} \omega^T y_g(t) = \omega^T y_k^0(t) + \int_0^t \omega^T \Psi_k(t,\tau) \bar g(\tau)\,d\tau - \sqrt{E_2}\,\sqrt{\int_0^t \omega^T \Psi_k(t,\tau) \Psi_k^T(t,\tau)\,\omega\,d\tau} \qquad (41)$$


Now eqs. (40) and (41) can be combined with relation (30) to obtain an expression for the necessary and sufficient condition for the benchmark distinguishability of $F(\bar f, E_1)$ from $F(\bar g, E_2)$.
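
The extrema of eqs. (40) and (41) and the test of relation (30) for one direction $\omega$, as an added example that is not part of the report. It assumes an open-loop plant with diagonal $A$, $G = I$, $x(0) = 0$, one failed actuator per failure set and deviation energy measured over $[0, t]$; all names and numerical values are constructed.

```python
import math

def integrate(vals, dt):
    """Trapezoid rule on equally spaced samples."""
    return dt * (sum(vals) - 0.5 * (vals[0] + vals[-1]))

def kernel(omega, fset, t_end, dt):
    """Samples of omega^T Psi(t, tau) at tau = 0, dt, ..., t for the failed actuator.
    Assumed plant: A = diag(-decay), so Psi(t, tau) = exp(A (t - tau)) b."""
    n = round(t_end / dt)
    return [sum(w * bl * math.exp(-a * (t_end - i * dt))
                for w, a, bl in zip(omega, fset["decay"], fset["b"]))
            for i in range(n + 1)]

def energy_extremes(omega, fset, t_end, dt=1e-3):
    """(min, max) of omega^T y_f(t) over the energy-bound set, as in eqs. (40)-(41)."""
    k = kernel(omega, fset, t_end, dt)
    nominal = integrate([ki * fset["f_nom"](i * dt) for i, ki in enumerate(k)], dt)
    spread = math.sqrt(fset["E"] * integrate([ki * ki for ki in k], dt))
    return nominal - spread, nominal + spread

def worst_case_failure(omega, fset, t_end, dt=1e-3):
    """Samples of the maximizing failure: f - f_nom is proportional to Psi^T omega
    and its deviation energy equals E (the Cauchy-Schwarz equality case)."""
    k = kernel(omega, fset, t_end, dt)
    q = integrate([ki * ki for ki in k], dt)
    scale = math.sqrt(fset["E"] / q) if q > 0 else 0.0
    return [fset["f_nom"](i * dt) + scale * ki for i, ki in enumerate(k)]

def projected_response(omega, fset, f_samples, t_end, dt=1e-3):
    """omega^T y_f(t) for a sampled failure function f."""
    k = kernel(omega, fset, t_end, dt)
    return integrate([ki * fi for ki, fi in zip(k, f_samples)], dt)

def deviation_energy(fset, f_samples, dt=1e-3):
    """Energy of f - f_nom over [0, t]."""
    return integrate([(fi - fset["f_nom"](i * dt)) ** 2
                      for i, fi in enumerate(f_samples)], dt)

def separated(omega, set_f, set_g, t_end):
    """Relation (30) for one direction omega."""
    return energy_extremes(omega, set_f, t_end)[1] < energy_extremes(omega, set_g, t_end)[0]

# Constructed failure sets: two different actuators driving the same two states.
DECAY = (1.0, 2.0)
SET_F = {"decay": DECAY, "b": (1.0, 1.0), "f_nom": lambda tau: 1.5, "E": 0.01}
SET_G = {"decay": DECAY, "b": (1.0, -1.0), "f_nom": lambda tau: 1.5, "E": 0.01}
T_OBS = 0.15

if __name__ == "__main__":
    print("range along state 1:", energy_extremes((1.0, 0.0), SET_F, T_OBS))
    print("state 2 separates:", separated((0.0, -1.0), SET_F, SET_G, T_OBS))
    print("state 1 separates:", separated((1.0, 0.0), SET_F, SET_G, T_OBS))
```

Raising both energy bounds to 1.0 makes the two projected ranges overlap along the second state variable, so that direction no longer separates the sets.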


6.5  Benchmark  Diagnosis:  Conclusions 

Two types of failures, each represented by a failure set, are benchmark distinguishable if the corresponding response sets are disjoint. Benchmark distinguishability means that it is possible, in principle, to distinguish between these two failure types in all their possible manifestations. On the other hand, no algorithm can distinguish between every possible manifestation of failures belonging to failure sets which are benchmark indistinguishable. This report has developed a method for evaluating benchmark distinguishability for control actuator failures. The following conclusions and implications can be identified.

1. The benchmark distinguishability of a system assesses the malfunction diagnostic capability inherent in the system. It does so by exploiting fragmentary information about the range of possible failures. This is important since detailed knowledge about failure systematics, such as is required in formulating a probabilistic model of malfunction, is rarely available.

2. Benchmark distinguishability is a conservative assessment of the malfunction diagnostic properties of a system, in the following sense. Two failure sets
are  benchmark  indistinguishable  even  if  “most”  but  not  all  of  the  (infinity)  of 
failures  in  each  set  are  distinguishable.  On  the  other  hand,  this  conservatism  can 
be  balanced  by  evaluating  the  benchmark  distinguishability  of  failure  sets  whose 
complete  distinguishability  is  essential  for  successful  malfunction  management. 

3. Malfunction diagnosis is often formulated as a multi-hypothesis decision problem. In the multi-hypothesis approach the observed behavior of the system is compared against the behavior expected from each of a finite set of postulated, archetypical failures. The performance of a multi-hypothesis algorithm for malfunction diagnosis is limited by the disparity between its finite set of hypothesized malfunctions and the infinity of possible failures. In section 7 we develop a method for evaluating the ability of a multi-hypothesis algorithm to distinguish between convex failure sets. Viewed from the perspective of multi-hypothesis diagnosis, the benchmark diagnosis capability of a system is seen to express the malfunction diagnosis performance which would be obtained with a judiciously chosen and infinite selection of failure hypotheses (in the absence of noise). As such, the benchmark capability provides a limiting measure of performance against which the diagnostic capabilities of a finite algorithm can be compared.

4.  It  is  important  to  stress  that,  while  the  benchmark  distinguishability  can  be 
viewed  as  the  performance  of  an  infinite  dimensional  multi-hypothesis  algorithm, 
the  benchmark  distinguishability  is  not  evaluated  numerically  as  the  limit  of  a 
sequence  of  finite  designs.  This  would  be  impractical.  Rather,  the  benchmark 
distinguishability  is  evaluated  very  simply  for  additive  failures  in  linear  systems  by 
exploiting  the  convexity  of  the  failure  and  response  sets.  The  geometric  concept  of 
hyperplane  separation  leads  directly  to  a  sequence  of  linear  optimization  problems 
whose result is the determination of the benchmark diagnosis capability.

5. Application of the concept of benchmark distinguishability to the diagnosis of control actuator failures in linear flight of an AFTI/F16 aircraft leads to the conclusion that measurement of even a single state variable can provide substantial malfunction diagnostic capability. Furthermore, the benchmark analysis of the single-measurement diagnosis led to the identification of double measurements whose diagnostic capability is fairly comprehensive.

6.  Finally,  it  must  be  stressed  that  the  concept  of  benchmark  distinguishability 
is not, in itself, a method for malfunction diagnosis. Rather, benchmark distinguishability provides a measure of the malfunction diagnosis capability which is
inherent  in  the  system  being  controlled.  As  such,  benchmark  distinguishability 
can  serve  as  an  objective  quantitative  aid  in  the  design  of  a  malfunction  diagnosis 
algorithm. 

7 Multi-Hypothesis Malfunction Distinguishability

7.1  Formulation  of  Multi-Hypothesis  Diagnosis 

In² this subsection we state the maximum-likelihood multi-hypothesis approach to diagnosing additive failures in linear dynamic systems and formulate the problem to be studied. Let $f(t)$ be a vector function representing a specific control-actuator malfunction, and let $y_f(t)$ represent the average measured system response to $f(t)$. Because the system is linear and the failure is additive, $y_f(t)$ is an affine transformation of $f(t)$. (The specific form which $y_f(t)$ assumes for control actuator failure will be discussed later.) Throughout the report we let $E^L$ represent a Euclidean space of dimension $L$ to which measurement vectors $y$ belong. Let $p(y|f)$ be the conditional probability density of the system response given a malfunction $f$. We shall assume that $p(y|f)$ decreases monotonically with a norm of $y - y_f$. This requirement is fulfilled, for example, if $p(y|f)$ is a multivariate Gaussian density and if the square of the norm of $y$ is $y^T V_f^{-1} y$, where $V_f$ is the covariance matrix of $y$ given malfunction $f$. The superscript $T$ implies matrix transposition. Different norms can be defined with respect to different malfunctions, for example if the covariance matrix depends on the malfunction. We denote the various norms as follows. An inner product of elements $x$ and $y$ in $E^L$, with respect to the malfunction $f$, is denoted $[x, y]_f$. Our only assumption regarding this inner product is that $[x, x]_f^{1/2}$ is a norm, which will be denoted $\|x\|_f$.

² The results of section 7 will appear in the AIAA Journal of Guidance, Control and Dynamics, Ben-Haim (198%).

Many distinct classes of actuator failures can occur: single or multiple failures; locked surfaces or widely varying surface deflections. In an important class of malfunctions the affected control surfaces fail to trail the control commands. Instead, these control surfaces deflect autonomously. The failure vectors $f(t)$ are assumed to belong to a set of uniformly bounded but otherwise freely varying functions. The failure sets are defined in section 5 as:

$$F(p) = \left\{ f^T = (f_1, \ldots, f_M) : \check p_m \le f_m(t) \le \hat p_m,\ t \in [0, \infty),\ m = 1, \ldots, M \right\} \qquad (42)$$

where $p = (\check p_1, \hat p_1, \ldots, \check p_M, \hat p_M)$. Thus the autonomous value of the $m$th control function varies arbitrarily in time between $\check p_m$ and $\hat p_m$. Usually the number of actuator failures is less than the dimension of the control vector. This is represented by choosing $\check p_m = \hat p_m = 0$ for each of the functioning actuators. $F(p)$ will be referred to as the failure set for malfunctions of type $p$. The set $F(p)$ is convex.

Let $F(p^1), \ldots, F(p^K)$ be disjoint failure sets and let $H_k$ be a finite collection of malfunctions chosen from $F(p^k)$, for $k = 1, \ldots, K$. Let $H = \cup_{k=1}^{K} H_k$. A maximum-likelihood multi-hypothesis algorithm for malfunction diagnosis is based on the collection $H$ of vector functions representing hypothesized malfunctions. Having obtained a measurement, $y$, the algorithm seeks a hypothesized malfunction $h_{ml} \in H$ which satisfies:

$$\| y_{h_{ml}} - y \|_{h_{ml}} = \min_{h \in H} \| y_h - y \|_h \qquad (43)$$

The function $h_{ml}$ is most likely to be the system condition which caused the measurement $y$, because $p(y|h)$ decreases monotonically with $\| y - y_h \|_h$.

Given failure sets $F(p^1), \ldots, F(p^K)$ and given sets of hypothesized malfunctions $H_1, \ldots, H_K$, we will say that failures of type $p^k$ are correctly diagnosed, if every failure in $F(p^k)$ is ascribed by the multi-hypothesis algorithm to a hypothesized failure in $H_k$. A collection $H = \cup_{k=1}^{K} H_k$ of malfunction hypotheses is robust if the failure sets $F(p^1), \ldots, F(p^K)$ are correctly diagnosed. A robust collection $H$ of malfunction hypotheses is efficient if no smaller set of hypotheses is robust. The problem to be studied here is to develop a computationally feasible method for determining whether or not a given set of hypothesized malfunctions is robust. This determination forms the basis for searching for an efficient collection of hypotheses.

An important simplification occurs when the norms $\|\cdot\|_h$ are the same for all hypothesized malfunctions. An example is developed in section 7.3 for actuator failures in an open-loop linear system.

7.2 Representing Uniformly Bounded Control-Actuator Failures

Our  aim  in  this  section  is  to  develop  a  convenient  formalism  for  representing 
the  measurements  of  a  closed-loop  linear  system  with  uniformly  bounded  control- 
actuator  failure.  The  main  result  of  this  section  is  eq.(55),  which  is  an  expression 
for  the  complete  response  set.  Several  relations  from  section  \  have  been  repeated 
for  convenience. 

Consider the failure-free dynamic system:

$$\frac{dx}{dt} = A x(t) + B u(t) + v_1(t) \qquad (44)$$

$$y(t) = G x(t) + v_2(t) \qquad (45)$$

$$u(t) = S(t) x(t) \qquad (46)$$

where $x$, $y$, and $u$ are state, measurement, and control vectors of dimension $N$, $L$ and $M$, respectively, $v_1$ and $v_2$ are zero-mean white Gaussian noise vectors with known, constant covariance matrices, and $A$, $B$ and $G$ are known constant matrices. The choice of the feedback gain matrix $S(t)$ is immaterial to our discussion.

Let us now consider the representation of $J$ control actuator failures. The indices of the failed actuators are $j = (j_1, \ldots, j_J)$. When a malfunction occurs in the $j_k$th control actuator its normal control function, $u_{j_k}(t)$, is replaced by an autonomous expression. Let $f(t)$ be an $M$-element vector whose $j_k$th element is the autonomous behaviour of the failed $j_k$th actuator, for $k = 1, \ldots, J$, and whose other elements are zero. Let $I_j$ be the matrix obtained from the $M \times M$ identity matrix by removing each of the $J$ rows $j_1, \ldots, j_J$. Thus $I_j u(t)$ is a vector obtained by removing the elements $j_1, \ldots, j_J$ from the nominal control vector, $u(t)$. Similarly, $B I_j^T$ is an $N \times (M - J)$ matrix obtained by removing the columns $j_1, \ldots, j_J$ from the matrix $B$. Using this notation, the dynamic response of the system to failure of $J$ actuators whose indices are $j$ is described by:

$$\frac{dx}{dt} = A x(t) + B I_j^T I_j u(t) + B f(t) + v_1(t) \qquad (47)$$

The normal control algorithm still calculates the feedback control vector from eq. (46). However, $I_j^T I_j u(t)$ is implemented rather than $u(t)$. Combining eqs. (46) and (47) yields:

$$\frac{dx}{dt} = \left[A + B I_j^T I_j S(t)\right] x(t) + B f(t) + v_1(t) \qquad (48)$$

The state vector $x(t)$ can be expressed in terms of a transition matrix $X_j(t)$, which is the solution of the following differential equation [14]:

$$\frac{dX_j}{dt} = \left[A + B I_j^T I_j S(t)\right] X_j(t), \qquad X_j(0) = I \qquad (49)$$

Finally, the measurement vector (with noise) in response to failure vector $f(t)$ is:

$$y_f(t) = G X_j(t) x(0) + G \int_0^t X_j(t) X_j^{-1}(\tau) \left(B f(\tau) + v_1(\tau)\right) d\tau + v_2(t) \qquad (50)$$

Unless $S(t) = 0$ (the open loop case) the transition matrix, $X_j$, depends on which actuators are malfunctioning, so the covariance matrix of $y_f$ depends on the failure. Consequently the quadratic norm, based on the covariance matrix of the measurement, varies with the failure.

The failure set for malfunctions of type $p$ is $F(p)$, as in eq. (42). Each failure $f(t)$ in $F(p)$ is mapped to an average measurement vector $y_f(t)$ (without noise) in measurement space (eq. (50) with $v_1 = v_2 = 0$). Let $C(p)$ be the set of all the average measurement vectors obtained from failures in the set $F(p)$. That is:

$$C(p) = \left\{ y : y(t) = y_f(t) \ \text{for all}\ f \in F(p) \right\} \qquad (51)$$

We will call $C(p)$ the complete response set for failures of type $p$. Since the failure set $F(p)$ is convex, the response set $C(p)$ is likewise convex because $y_f(t)$ is an affine transformation of $f$.

It is more convenient, however, to define $C(p)$ in terms of its boundary. Define the constant failure vector $\bar p = (\bar p_1, \ldots, \bar p_M)$, where $\bar p_m = (\check p_m + \hat p_m)/2$ for $m = 1, \ldots, M$. Let $\bar y(t)$ be the average response to the constant failure $\bar p$, so $\bar y(t) = y_{\bar p}(t)$. That is,

$$\bar y(t) = G X_j(t) x(0) + G \int_0^t X_j(t) X_j^{-1}(\tau) B \bar p\,d\tau \qquad (52)$$

Let $F^*(p)$ be the set:

$$F^*(p) = \left\{ f^T = (f_1, \ldots, f_M) : |f_m(t)| \le \frac{\hat p_m - \check p_m}{2} \right\} \qquad (53)$$

Every element $g$ in $F(p)$ can be expressed as $g = \bar p + f$ where $f$ belongs to $F^*(p)$. Thus the response to $g$ can be expressed as the sum of the response to $\bar p$ and the response to $f$. Let $\Psi(t,\tau) = G X_j(t) X_j^{-1}(\tau) B$. Now the response set $C(p)$ can be expressed as:

$$C(p) = \left\{ y : y = \bar y(t) + \int_0^t \Psi(t,\tau) f(\tau)\,d\tau \ \text{for}\ f \in F^*(p) \right\} \qquad (54)$$

Figure 25: Illustration of the procedure for finding boundary points of $C(p)$.

From this expression it is evident that $C(p)$ is convex, contains the point $\bar y(t)$ and is symmetric with respect to inversion through $\bar y(t)$. Also, every element of $C(p)$ can be expressed as $y = \bar y(t) + \alpha \rho(\omega) \omega$ where $\omega$ is a unit vector in the direction from $\bar y$ to $y$, $\rho(\omega)$ is the distance along $\omega$ from $\bar y$ to the boundary of $C(p)$ and $0 \le \alpha \le 1$. That is, the complete response set can be represented as:

$$C(p) = \left\{ y : y = \bar y(t) + \alpha \rho(\omega) \omega,\ 0 \le \alpha \le 1,\ \omega^T \omega = 1 \right\} \qquad (55)$$

To evaluate the radius function $\rho(\omega)$ we must first identify the elements of $F^*$ which generate the boundary points of $C(p)$. Let $\phi$ be a vector in $E^L$. For a given $f \in F^*(p)$, the set of points $z$ which satisfy:

$$\phi^T z = \phi^T \int_0^t \Psi(t,\tau) f(\tau)\,d\tau \qquad (56)$$

constitutes a plane in $E^L$ through the point $y_f$ and perpendicular to $\phi$, as shown by the line $L_1$ in Figure 25. The distance of this plane from $\bar y$ is:

$$\mathrm{dis}(y_f, \bar y) = \left| \phi^T \int_0^t \Psi(t,\tau) f(\tau)\,d\tau \right| \qquad (57)$$

This distance varies as $f$ varies on the set $F^*$. That element of $F^*$ which maximizes $\mathrm{dis}(y_f, \bar y)$ defines a boundary point of $C(p)$, denoted BP in Figure 25. Let $\psi_m(t,\tau)$ represent the $m$th column of $\Psi(t,\tau)$. Then $\mathrm{dis}(y_f, \bar y)$ is maximized on $F^*$ when the elements of the vector $f$ are chosen as³

$$f_m(\tau; \phi) = \frac{\hat p_m - \check p_m}{2}\,\mathrm{sgn}\!\left(\phi^T \psi_m(t,\tau)\right), \qquad (58)$$

where $\mathrm{sgn}(x) = \pm 1$, matching the sign of $x$. Boundary points of $C(p)$ are now represented as:

$$y(t; \phi) = \bar y(t) + \int_0^t \Psi(t,\tau) f(\tau; \phi)\,d\tau \qquad (59)$$

where $f(\tau; \phi)$ in this expression is defined in eq. (58). Distinct boundary points are obtained by varying $\phi$. Each boundary point in turn defines a value of the radius vector. For each $\phi$ the radius of $C(p)$ along direction $\omega = y(t; \phi) - \bar y(t)$ is $\sqrt{\omega^T \omega}$, which can be tabulated numerically as a function of the direction $\omega$. Let $\rho(\omega)$ represent this tabulation. The argument of $\rho$ need not be a normalized vector, but we will adopt the convention that, for any scalar $\alpha$, $\rho(\alpha\omega) = |\alpha| \rho(\omega)$ and that $\rho(\omega)$ precisely equals the radius of $C(p)$ along $\omega$ when $\omega$ is a unit vector.

³ A similar maximization problem is discussed in eqs.(tvl) (68), to which the reader is referred for justification of eq. (58).

7.3 Designing the Multi-Hypothesis Diagnosis of Open-Loop Malfunctions

In the absence of feedback in the control loop ($S(t) = 0$ in eq. (46) and $u(t)$ is independent of $x$) the transition matrix, eq. (49), is independent of the malfunction. Consequently the quadratic norm based on the covariance matrix of the measurement does not depend on the failure. Determination of the robustness of a collection $H$ of hypothesized malfunctions can be based on the solution of a sequence of linear optimization problems, as shown in this section.

As in section 7.1, let $H = \cup_{k=1}^{K} H_k$ be the complete set of hypothesized malfunctions. Let $g$ and $h$ belong to $H$, and define the minimum relative norm on $C(p^k)$ with respect to $g$ and $h$ as:

$$D_k(g, h) = \min_{y \in C(p^k)} \left( \| y_g - y \|^2 - \| y_h - y \|^2 \right) \qquad (60)$$

If $D_k(g, h)$ is positive, then every occurrence of failure of type $p^k$ will be ascribed to hypothesized malfunction $h$ rather than to $g$. It is evident from the definition of correct diagnosis that failures of type $p^k$ are correctly diagnosed if, for each $g \in H - H_k$, there is an element $h \in H_k$ such that

$$D_k(g, h) > 0 \qquad (61)$$

This means that, for every failure in $F(p^k)$, no hypothesis outside $H_k$ will be chosen by the multi-hypothesis algorithm. Consequently type $p^k$ failures will be correctly diagnosed.

Expanding the norms in eq.(60) in terms of the inner product, one finds:

$$D_k(g,h) = \|y_g\|^2 - \|y_h\|^2 - 2 \max_{y \in C(p^k)} [y_g - y_h, y] \qquad (62)$$

The maximum on the right-hand side does in fact exist since $[y_g - y_h, y]$ is a linear
(and thus continuous) function from the compact set $C(p^k)$ to the real numbers.
Consequently, determination of the correct diagnosis of failure type $p^k$ is based on
evaluating the maximum of the linear function $[y_g - y_h, y]$ on $C(p^k)$, for each $g$
and $h$ in $H$. Eq.(43) indicates that the multi-hypothesis algorithm itself evaluates
a quadratic expression in $y$. The adequacy of a linear expression for determining
correct diagnosis derives from the fact, expressed in eq.(60), that correct diagnosis
is established by comparing norms which are independent of the hypothesized
malfunctions.

7.4  Example:  Designing  Multi-Hypothesis  Diagnosis 

To illustrate this analysis, we consider part of the design process for constructing
a maximum-likelihood multi-hypothesis algorithm for diagnosing control actuator
failures in AFTI/F16 aircraft in steady open-loop flight at 0.9 Mach and 20,000 feet
altitude. The dynamic behavior and measurements of the failure-free linear system
are represented by eqs.(44)-(46) with $S(t) = 0$. The 8 state variables, in order of
their appearance in $x$, are: pitch angle, forward velocity, angle of attack, pitch
rate, bank angle, sideslip angle, roll rate and yaw rate. The 6 control variables, in
order of their appearance in $u$, are: right and left horizontal tails (elevators), right
and left wing flaps, canards (operated symmetrically) and rudder. These control
variables are zero in steady open-loop flight, but vary automatically after failure.
$G$ is the 8x8 identity matrix and the values of $A$ and $B$ are presented in tables
(1) and (2).

We will now develop an explicit expression for the maximum in eq.(62). Let
the initial state vector be $x(0) = 0$. From eqs.(41) and (45) one finds the average
response to the malfunctioning control vector $u$ to be:

$$y_u(t) = \int_0^t G e^{A(t-\tau)} B u(\tau)\, d\tau \qquad (63)$$

Let the inner product take the form $[x, y] = x^T V^{-1} y$, where $V$ is the covariance
matrix of the response vector. Also, let $\lambda_m(t,\tau)$ be the $m$th column of the matrix
$V^{-1} G e^{A(t-\tau)} B$. Let $\delta(t) = y_g(t) - y_h(t)$. Then one finds:

$$[y_g(t) - y_h(t), y_u(t)] = \sum_{m=1}^{M} \int_0^t \delta(t)^T \lambda_m(t,\tau)\, u_m(\tau)\, d\tau \qquad (64)$$

Examination of eq.(64) shows that the $m$th integral achieves its maximum when
$u_m(\tau)$ is chosen to switch between its extremal values as $\delta(t)^T \lambda_m(t,\tau)$ changes sign.
Specifically, eq.(64) is maximized by choosing the elements of $u$ as:

$$u_m(\tau) = \hat{p}_m \quad \text{for} \quad \delta(t)^T \lambda_m(t,\tau) > 0 \qquad (65)$$

$$u_m(\tau) = \check{p}_m \quad \text{for} \quad \delta(t)^T \lambda_m(t,\tau) < 0 \qquad (66)$$

Let $D_{m+}$ and $D_{m-}$ denote the subsets of the interval $[0, t]$ for which $\delta(t)^T \lambda_m(t,\tau)$
is non-negative and negative, respectively. Thus the maximum value of the inner
product becomes:

$$\max_{u \in F(p^k)} [y_g(t) - y_h(t), y_u(t)] = \sum_{m=1}^{M} \left( \hat{p}_m \int_{D_{m+}} \delta(t)^T \lambda_m(t,\tau)\, d\tau + \check{p}_m \int_{D_{m-}} \delta(t)^T \lambda_m(t,\tau)\, d\tau \right) \qquad (67)$$

$$= \sum_{m=1}^{M} \frac{\hat{p}_m + \check{p}_m}{2} \int_0^t \delta(t)^T \lambda_m(t,\tau)\, d\tau + \sum_{m=1}^{M} \frac{\hat{p}_m - \check{p}_m}{2} \int_0^t \left| \delta(t)^T \lambda_m(t,\tau) \right| d\tau \qquad (68)$$


The minimum relative norm on $C(p^k)$ with respect to $g$ and $h$ is obtained by
substituting eq.(68) in eq.(62). We are now able to determine whether or not a
given collection of hypothesized malfunctions is robust.
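
An added sketch of the open-loop robustness test of eqs.(62)-(68), not code from the report: it evaluates the minimum relative norm through the closed form of eq.(68) and cross-checks it against the switching failure of eqs.(65)-(66). The two-state system, the diagonal A, the matrix B, the choice V = I and all function names are constructed assumptions; hypothesized malfunctions are taken constant in time, as in the example of section 7.4.

```python
import math

def kernel(a, B, s):
    """V^-1 G e^{A s} B, whose m-th column is lambda_m; A = diag(a), G = I, V = I."""
    return [[math.exp(a[i] * s) * B[i][m] for m in range(len(B[0]))]
            for i in range(len(a))]

def dot(x, y):
    return sum(p * q for p, q in zip(x, y))

def response(a, B, u, t, n=2000):
    """Eq.(63) by the midpoint rule; u maps tau to the control vector."""
    dt, y = t / n, [0.0] * len(a)
    for j in range(n):
        tau = (j + 0.5) * dt
        K, uj = kernel(a, B, t - tau), u(tau)
        y = [y[i] + dt * dot(K[i], uj) for i in range(len(a))]
    return y

def switching(a, B, delta, m, s):
    """delta(t)^T lambda_m(t, tau) with s = t - tau; its sign selects the bound."""
    return sum(delta[i] * row[m] for i, row in enumerate(kernel(a, B, s)))

def responses(a, B, g, h, t):
    """Average responses to the constant hypotheses g and h, and their difference."""
    yg = response(a, B, lambda tau: g, t)
    yh = response(a, B, lambda tau: h, t)
    return yg, yh, [p - q for p, q in zip(yg, yh)]

def max_inner(a, B, delta, lo, hi, t, n=2000):
    """Eq.(68): maximum of [y_g - y_h, y_u] over lo[m] <= u_m(tau) <= hi[m]."""
    dt, total = t / n, 0.0
    for m in range(len(lo)):
        f = [switching(a, B, delta, m, t - (j + 0.5) * dt) for j in range(n)]
        total += 0.5 * (hi[m] + lo[m]) * sum(f) * dt
        total += 0.5 * (hi[m] - lo[m]) * sum(abs(v) for v in f) * dt
    return total

def min_relative_norm(a, B, g, h, lo, hi, t):
    """Eq.(62): D(g, h) on the failure set bounded by lo and hi."""
    yg, yh, delta = responses(a, B, g, h, t)
    return dot(yg, yg) - dot(yh, yh) - 2.0 * max_inner(a, B, delta, lo, hi, t)

def worst_case_failure(a, B, g, h, lo, hi, t):
    """Eqs.(65)-(66): the switching failure u(tau) at which the minimum is attained."""
    delta = responses(a, B, g, h, t)[2]
    return lambda tau: [hi[m] if switching(a, B, delta, m, t - tau) >= 0 else lo[m]
                        for m in range(len(lo))]

def relative_norm_at(a, B, g, h, u, t):
    """||y_g - y_u||^2 - ||y_h - y_u||^2 for one particular failure u."""
    yg, yh, _ = responses(a, B, g, h, t)
    y = response(a, B, u, t)
    dg, dh = [p - q for p, q in zip(yg, y)], [p - q for p, q in zip(yh, y)]
    return dot(dg, dg) - dot(dh, dh)

def correctly_diagnosed(a, B, H_k, H_rest, lo, hi, t):
    """Eq.(61): each g outside H_k loses to some h in H_k on the whole failure set."""
    return all(any(min_relative_norm(a, B, g, h, lo, hi, t) > 0 for h in H_k)
               for g in H_rest)

# Constructed two-state, two-control system; not the AFTI/F16 values of tables (1), (2).
A_DIAG, B_MAT = [-1.0, -2.0], [[1.0, 0.5], [0.0, 1.0]]
LO, HI, T = [0.6, 0.6], [0.8, 0.8], 1.0

if __name__ == "__main__":
    g, h = [1.36, 0.2], [0.7, 0.7]
    u = worst_case_failure(A_DIAG, B_MAT, g, h, LO, HI, T)
    print("D(g,h), eqs.(62),(68):", min_relative_norm(A_DIAG, B_MAT, g, h, LO, HI, T))
    print("same, at switching u: ", relative_norm_at(A_DIAG, B_MAT, g, h, u, T))
```

For the constructed pair g = (1.36, 0.2), h = (0.7, 0.7) the second control switches from its upper to its lower bound inside the interval, which is the case a search over constant failures alone would miss.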

The starting point for selecting hypothesized failures is specification of the
failure sets which must be correctly diagnosed. Identification of a robust and
efficient set of hypothesized malfunctions is then an iterative process. At least
one hypothesis must be included in $H$ for each failure set which is to be correctly
diagnosed. Given an initial choice of $H$, eqs.(62) and (68) are used to determine
whether or not the required failure sets are correctly diagnosed. Elements of $H$ are
then modified and new elements are included, until correct diagnosis is attained
for each specified failure set.

The procedure for determining the robustness of a given set of hypotheses can
be inverted, in part, to aid in the search for hypothesized malfunctions. A simple
numerical example will illustrate this analysis. Suppose it is desired to correctly
diagnose malfunctions of failures in the second and fifth control functions (left
elevator and canards), when these control surfaces are deflecting autonomously. For
graphical simplicity we will select hypothesized malfunctions $h_i$ which are constant
in time and non-zero only in the second and fifth elements. Thus hypothesized
malfunctions can be represented as points in the plane, where the horizontal and
vertical coordinates are the second and fifth elements of the failure vector, $u_2$
and $u_5$ respectively. Three hypothesized malfunctions, $h_1$, $h_2$ and $h_3$ have been
included in $H$ to diagnose other failures, as shown in Figure 26. It is now desired
to select the minimum set of hypotheses needed to assure correct diagnosis of left
elevator and canard deflections between, for example, 0.6° and 0.8°. Let us denote
this failure set $F(0.6, 0.8)$.

Each point in the square region of Figure 26 represents a constant failure in
$F(0.6, 0.8)$. However not each such point, if used as a hypothesized malfunction,
would yield correct diagnosis of the malfunctions in $F(0.6, 0.8)$. Let $h$ be a point in
the square region of Figure 26, and consider the maximum likelihood comparison
between $h$ and $h_1$. Eqs.(62) and (68) are used to evaluate $D(h_1, h)$, the minimum
relative norm on $C(0.6, 0.8)$ with respect to $h_1$ and $h$. The minimum relative norm
for each point $h$ below the curve in Figure 27 is found to be positive, indicating that
these hypotheses yield correct diagnosis of the failures in question, when compared
with hypothesis $h_1$. The minimum relative norm of all points above the curve in
Figure 27 is negative, which means that hypothesized failures above the curve will
not yield correct diagnosis. Figure 28 shows a similar analysis based on comparison
with $h_2$. Again the minimum relative norm, $D(h_2, h)$, is positive for points below
the curve and negative for points above the curve. Thus correct diagnosis in
comparison with $h_2$ can be achieved only if a point below the curve in Figure 28
is included in $H$. Comparison of Figures 27 and 28 shows that correct diagnosis
with respect to $h_1$ assures correct diagnosis with respect to $h_2$. The analysis is
repeated to determine the hypothesized malfunctions which yield correct diagnosis
in comparison with $h_3$, and the results appear in Figure 29. Points above the curve
yield correct diagnosis of all failures in $F(0.6, 0.8)$, while points below the curve
do not. Overlaying Figures 27-29, as in Figure 30, shows that two hypothesized
malfunctions are necessary and sufficient to achieve correct diagnosis of all failures
in $F(0.6, 0.8)$. One hypothesis must lie between the intermediate and upper curves,
while one must lie below the lowest curve. Correct diagnosis of the failure set
$F(0.6, 0.8)$ requires that two such hypotheses be included in $H$, as long as $h_1$, $h_2$ and
$h_3$ are in $H$. Likewise, unless additional hypotheses are added to $H$ for diagnosis of
different failure sets, the two hypotheses which have been identified are sufficient to
assure correct diagnosis of $F(0.6, 0.8)$. This analysis is continued until conditions
are established for defining the smallest set of hypothesized malfunctions which
assure correct diagnosis for each of the specified failure sets.

7.5 Designing The Multi-Hypothesis Diagnosis of Closed-Loop Malfunctions

Let $H = \bigcup_k H_k$, where each set $H_k$ contains malfunctions drawn from the set
$F(p^k)$ of uniformly bounded failures. The system is described by eqs.(44) and (45),
and the feedback gain in eq.(46) is non-zero. We wish to determine whether or
not malfunctions of type $p^k$ are correctly diagnosed. Eq.(60) must be modified to
account for the fact that, due to the feedback in the control loop, the quadratic
norm depends on the failure. Accordingly, let $g$ and $h$ belong to $H$ and define the
minimum relative norm on $C(p^k)$ with respect to $g$ and $h$ as:

$$D_k(g,h) = \min_{y \in C(p^k)} \left( \|y_g - y\|_g^2 - \|y_h - y\|_h^2 \right) \qquad (69)$$

The main result of this section is the evaluation of this minimum relative norm.
Once that is achieved, the hypothesized malfunctions are selected by the iterative
procedure illustrated in section 7.4.

Let $g$ and $h$ be hypothesized malfunctions, and let $y_g$ and $y_h$ be the corresponding
average responses. Let $y = \bar{y} + \eta$ be an element of $C(p^k)$, where $\bar{y}$ is defined,
with respect to the parameters $p^k$, as in connection with eq.(54) and $\eta = \alpha p(\omega)\omega$
as in eq.(55). The expression to be minimized in eq.(69) becomes:

$$\|y_g - y\|_g^2 - \|y_h - y\|_h^2$$

$$= (y_g - \bar{y} - \eta)^T V_g^{-1} (y_g - \bar{y} - \eta) - (y_h - \bar{y} - \eta)^T V_h^{-1} (y_h - \bar{y} - \eta) \qquad (70)$$

$$= \eta^T A \eta - 2 C^T \eta + H \qquad (71)$$

where $A = V_g^{-1} - V_h^{-1}$, $C = V_g^{-1}(y_g - \bar{y}) - V_h^{-1}(y_h - \bar{y})$ and
$H = \|y_g - \bar{y}\|_g^2 - \|y_h - \bar{y}\|_h^2$. Failures of type $p^k$ are correctly diagnosed if, for each $g \in H - H_k$,
there is an element $h \in H_k$ such that:

$$D_k(g,h) > 0 \qquad (72)$$

Referring to eq.(55) it is evident that $\eta$ is a vector of arbitrary orientation whose
length does not exceed the distance in direction $\eta$ of $\bar{y}$ from the boundary of $C(p^k)$.
Thus $\eta$ is constrained by:

=  ,7S) 

where $p(\omega)$ is determined numerically as explained in section 7.2. This inequality
constraint on the maximization of eq.(71) can be replaced by an equality by
introducing an undetermined quantity, $\beta$:

$$\eta^T \eta + \beta^2 = p(\eta) \qquad (74)$$

Adjoin the constraint to the expression in eq.(71) as:

$$D^* = \eta^T A \eta - 2 C^T \eta + H + \lambda \left( \eta^T \eta + \beta^2 - p(\eta) \right) \qquad (75)$$

Necessary conditions for a stationary point of eq.(71) are:

$$0 = \frac{\partial D^*}{\partial \eta} = 2A\eta - 2C + 2\lambda\eta - \lambda \frac{\partial p}{\partial \eta} \qquad (76)$$

$$0 = \frac{\partial D^*}{\partial \beta} = 2\lambda\beta \qquad (77)$$

Eq.(77) together with the constraint imply that $\lambda = 0$ if $\eta^T \eta < p(\eta)$. Thus an
extremum of eq.(71) occurs in the interior of $C(p^k)$ if the solution of:

$$A\eta = C \qquad (78)$$

satisfies $\eta^T \eta < p(\eta)$. If not, then the extrema of eq.(71) occur on the boundary of
$C(p^k)$ and must satisfy:

$$(A + \lambda I)\eta = C + \frac{\lambda}{2} \frac{\partial p}{\partial \eta} \qquad (79)$$

and

$$\eta^T \eta = p(\eta) \qquad (80)$$

Eqs.(78)-(80) determine the constrained extrema of $D_k(g,h)$. Failures of type
$p^k$ are correctly diagnosed if the condition in eq.(72) is satisfied.

The solution of eqs.(79) and (80) is computationally somewhat cumbersome.
It is therefore useful to know that, if $A$ is a positive definite matrix, then eq.(71)
has precisely one minimum and may have several local maxima. Or, if $A$ is negative
definite, then eq.(71) has precisely one maximum and may have several local
minima. If $A$ is indefinite, then eq.(71) can have several minima and maxima.

7.6  Multi-Hypothesis  Diagnosis:  Conclusions 

This section has described a method for designing a maximum-likelihood
multi-hypothesis algorithm for diagnosing control-actuator failures in linear systems.
Uncertainty in the temporal behavior of a malfunctioning actuator is represented
by employing the set theoretic technique called convex modelling. For open-loop
systems (autonomous controllers) the diagnosis algorithm is designed by solving
a sequence of linear optimization problems. For closed-loop feedback systems the
design of the diagnosis algorithm requires the solution of non-linear equations. The
resulting diagnosis algorithm is robust and efficient. Robust in that the diagnosis
invariably distinguishes between failure sets which represent complex uncertainty
in the temporal form of the malfunctions. Efficient in that no smaller set of
hypothesized malfunctions could achieve correct diagnosis of the required classes of
failures. The significance of this result is that design of an algorithm for
diagnosis of control actuator failure can be based on a systematic and numerically
implementable procedure which yields the best possible algorithm, in the sense of
robustness and efficiency defined here.

8  Concluding  Remarks  and  Future  Research 

The  diagnosis  of  additive  failures  in  a  linear  dynamic  system  has  been  studied 
in  this  project.  This  class  of  failures  includes  control-actuator  failures,  which 
are  emphasized  in  this  report.  Several  theoretical  concepts  relating  to  the  design 
of  control-actuator  failure-diagnosis  have  been  developed.  Illustrative  numerical 
examples  have  been  presented  based  on  a  linearized  steady-flight  model  of  the 
AFTI/F16  aircraft. 

The successful diagnosis of failure relies on knowledge of the malfunction
phenomenon in general. However, malfunction is usually so complicated that it is
unfeasible to formulate a probability measure which expresses the relative
likelihood of each of the infinite range of possible specific malfunctions. On the other
hand, sufficient partial information is often available with which to formulate a
set-theoretic convex model of failure uncertainty. This approach has been adopted
in the present study.

Convex modelling provides two distinct tools for optimization of malfunction
diagnosis algorithms. The first, called benchmark diagnosis, is an assessment of
the best state space malfunction diagnosis capability which can be obtained by any
algorithm, whether based on the multi-hypothesis maximum-likelihood concept or
not. Evaluation of the optimum distinguishability is useful as a benchmark, against
which the performance of implementable algorithms can be compared. Conclusions
regarding benchmark diagnosis in general and its application to aircraft systems
in particular have been discussed in section 6.5.

The second tool provided by convex modelling, called multi-hypothesis
distinguishability, enables assessment of the malfunction diagnosis performance of a
specific multi-hypothesis algorithm. This enables the quantitative comparison of
the performance of multi-hypothesis malfunction diagnosis algorithms based on
distinct sets of failure hypotheses. Optimization of the malfunction diagnosis
algorithm is based on these comparisons. Implications of the results concerning
multi-hypothesis diagnosis are discussed in section 7.6.

Several areas of further research are of immediate interest. Many engineering
systems of importance in aeronautics and other fields display malfunctions
which may be modelled as additive failures. The application of convex modelling
to such systems can be pursued. This may include either different aerodynamic
models than the one studied in this report, or different classes of failures.
Alternatively, convex modelling can be applied to the development and optimization
of algorithms for malfunction diagnosis in sub-systems, such as inertial navigation
systems.

An  additional  problem  area  is  the  study  of  the  algorithmic  basis  of  convex 
modelling.  The  development  of  efficient  computer  algorithms  for  evaluating  the 
disjointness  of  convex  sets  is  essential  for  a  large  scale  benchmark  analysis.  Rapid 
algorithms  for  evaluating  the  minimum  relative  norm  are  needed  for  optimizing 
the  design  of  a  multi-hypothesis  diagnosis  algorithm  in  a  large  complex  system. 

A  further  area  of  importance  is  the  incorporation  of  the  diagnosis  task  in  the 
overall  framework  of  malfunction  management.  Diagnosis  of  failure  should  lead  to 
the  implementation  of  a  compensatory  controller  whose  task  is  to  lead  to  graceful 
recovery of the system. Central unsolved problems are:

1. Design the diagnosis algorithm to incorporate the subsequent needs of the
compensatory controller.

2.  Synthesize  the  compensatory  controller. 

3.  Integrate  the  tasks  of  failure  diagnosis  and  failure  compensation  so  that 
management  of  the  malfunction  begins  to  be  implemented  before  learning  of 
the  failure  has  been  completed. 

A final area of interest for further work is the study of non-additive failures.
Important classes of malfunctions deviate from the assumption of additivity. In
particular, those failures in which the model parameters (e.g. aerodynamic
coefficients) undergo alteration violate the assumption of additivity. In such cases the
property of convexity of the failure set is still plausible, and the general mode of
thought of convex modelling is still relevant. However, difficulties develop which
need to be studied both analytically and numerically.

Appendix 

Plausibility  of  Convex  Models  of  Uncertainty 

In a set theoretic model of malfunction uncertainty the malfunction is modelled
as a time- or space-dependent vector function drawn from a set of possible
functions. We wish to identify conditions in which it is plausible to assume such sets of
functions are convex. The central limit theorem will motivate our discussion. Let
$g_1, \ldots, g_n$ be independent, identically distributed random variables with zero mean
and finite variance. As $n \to \infty$ the distribution of the sum $f =$ tends to a
normal distribution, regardless of how the $g_i$ are distributed. The physical analog
of this theorem suggests that if a certain mensurable macroscopic quantity $f$
(e.g. a voltage or a temperature) is the superposition of numerous random,
independent and identically distributed microscopic variables $g_i$, then we should expect
the macroscopic quantity $f$ to display a Gaussian distribution, regardless of how
the $g_i$ are distributed. Indeed, this expectation is fulfilled in many circumstances.

Now let us consider a set-theoretic approach to modelling the uncertainty of
a time-dependent macroscopic vector function $f$. Let $\Gamma$ be a set of vector-valued
functions. For a positive integer $n$, consider the set of functions:

$$F_n = \left\{ f : f(t) = \frac{1}{n} \sum_{i=1}^{n} g_i(t), \ g_i \in \Gamma, \ i = 1, \ldots, n \right\} \qquad (81)$$

It is well known (Aumann, 1965; Artstein, 1974; Artstein and Hansen, 1985) that,
as $n \to \infty$, the sequence of sets $F_n$ converges to the convex hull of $\Gamma$. This result
invites the following physical interpretation. If a macroscopic time-dependent
vector $f(t)$ (such as a malfunction) is formed as the superposition of numerous
microscopic time-varying events $g_i(t)$ chosen from a set $\Gamma$, then the set of all such
functions $f(t)$ will tend to be convex, regardless of the structure of the set $\Gamma$.